Risk Management
Challenge accepted
Entrepreneurship and taking risks go hand in hand. Because risks need to be taken in order to grow. And as an organization grows, so does the number of risks, their scope, and their impact. For this reason, we continuously optimize our risk management.

Risks & opportunities

We balance risks and their impact with the opportunities and advantages they offer. This allows us to maximize the benefits of a risk while minimizing the consequences.

Risk culture

Risks can occur anywhere in the organization. So it is important that every Coolbluer is aware of risks and can identify them. This is why every Coolbluer is responsible for managing their own risks. They are supported in this by our Risk & Internal Control, Tax, Safety, Security & Fraud, Tech Security, Finance, and Legal departments. The Management Board bears the ultimate responsibility for risks. This approach allows us to create a culture in which risk management stays top of mind throughout the organization and in which risks are managed when and where they occur.

Internal guidelines

To provide Coolbluers with the means to decide how to go about a risk, we have various internal policies in place, which are in part based on external regulation. These policies are written in an honest, direct, and open manner and are easily available to every Coolbluer in multiple languages. We periodically review these policies to ensure they continue to meet legislative demands. Examples of our internal guidelines are:

  • The Workguide (the employee guidebook);
  • The Friend Code (our code of conduct);
  • How can Coolblue help me with undesirable situations? (our whistleblower policy);
  • What happens if I cheat? (our anti-fraud policy); and
  • What if I don’t stick to the Coolblue agreements? (our disciplinary policy).

Increasing awareness

We make an effort to always maintain a high level of risk awareness. To this end, we offer e-learning modules and training courses that address topics such as information security, the GDPR, labor law, competition law, tax law, and integrity. In 2023, we added new training courses about the new environmental legislation.

Risk profile summary

We identified and listed the risks that could impact the realization of our strategic goals.

Risk identification & assessment

Our risk management focuses on 4 categories: strategic risks, operational risks, finance & reporting risks, and compliance risks. To create a risk profile for each risk, we conduct various top-down and bottom-up risk assessments. We have prioritized the most relevant risks in a yearly Strategic Risk Assessment with managers and the Management Board. The results have been discussed with both the Audit Committee and the Supervisory Board.

Risk profile

In 2023, we identified and profiled 11 risks. This is 1 less than in 2022, when we considered Health crisis to still be a disruptive factor to our operations. In 2023, with the integrated learnings from the past few years, we feel that the mitigating measures in place would prevent an impact on the scale we have seen before. Of course, elements of this risk remain included in other risks. The 11 identified risks are rated on a 5-point scale based on their likelihood, impact, and our risk appetite.

Likelihood
Likelihood is the first scale on which we rate a risk. It defines the probability that a risk will occur within 2 years.

Impact
Impact forms the second scale on which we rate a risk. Here, we assess to what extent a risk would negatively affect the achievement of our goals, promises, and ambitions.

Risk appetite
The third and final scale, risk appetite, is based on the former 2. It defines our willingness to run or take a risk. The lower the appetite, the better our risk management has to be arranged. On the other hand, we sometimes need a higher risk appetite to achieve our strategic goals.

Strategic risks

1. Reputation

Coolblue has a strong reputation. We want to uphold this reputation and prevent any damage to it, as this could negatively influence our business. At the same time, we continue to expand our business, also internationally. This expansion of our playing field and the increase in our brand awareness mean that the risks we have identified could have a larger impact on our reputation.

In the assessment of this risk, it became apparent that the overarching risk remained unchanged in 2023. Coolblue is a strong brand that delivers on its promise and has earned the customer’s trust by doing so. To safeguard our reputation, we closely monitor external influences, such as press coverage, and protect ourselves and our customers from parties that unlawfully use our name.

2. Competition

We operate in markets that are highly competitive and dynamic in size. For a number of product types, we see that the market size decreases. Our share in these markets is challenged by vendors who deliver directly to customers at an increasing rate. At the same time, new disruptive technologies arise that are changing the (digital) playing field. Despite these factors, we assume a high risk appetite, because we believe we continue to distinguish ourselves through our approach to customer needs. It allows us to maintain our position and even increase our market share in shrinking markets, thanks to our approach and early adoption of these technologies. The opportunities that follow from these market circumstances are incentives for us to keep going the extra smile for customers. They even help us solidify our position in the market.

3. Economic conditions

The economic conditions that can negatively impact Coolblue’s business are primarily inflation, recession, and a changing market demand. This is because these circumstances directly affect our customers, who then adjust their spending choices accordingly. We mitigate this through constantly monitoring demand, adjusting pricing, evaluating and adapting the supply chain, and monitoring and actively steering on stock levels.

Operational risks

4. Information security & data privacy

Ensuring the safety of our data and technology is vital to Coolblue. We constantly improve our cyber- and information security controls and do everything in our power to secure our (customer) data, prevent hacks and data leaks, and minimize the impact an incident may have. This applies to both data we generate ourselves and information that customers provide us with, for example when they place an order. We continuously improve our (cyber) resilience by implementing and optimizing our detection and response controls and processes.

5. Availability of systems & critical processes

We constantly apply optimizations in our operations, such as mechanization in our warehouse. As a result, our dependency on technology increases. The impact of disruptions also increases, for instance in our automated picking process. To minimize the chance of this happening, we reviewed our critical operations, dependencies on suppliers, and continuity and fallback procedures. For each, we have identified our critical operations and risks. This allows us to minimize the odds of a disruption and the downtime that follows. At the same time, we optimized how quickly we can restore our operations.

6. Stock management

Stock management risks come in 2 categories: excess stock and insufficient stock. To minimize both, we use algorithms that calculate the expected sales patterns every day, which we align our purchasing activities to. This way, we can order the optimal number of products at all times and closely monitor our stock health.

7. Supply chain continuity

Our business depends on 2 factors: the availability of products and their components, and our ability to deliver them to our customers. We make an effort to safeguard continuity of both. By working very closely with our suppliers, we guarantee a constant supply and use our strong financial structure to realize this. We ensure that we live up to our delivery promise through our own delivery propositions and close collaboration with our delivery partners. As a result, we see a decrease in the likelihood of this risk compared to last year.

8. Attract and retain qualified Coolbluers

Qualified and talented people are key to our success. That is why we are always happy to welcome new Coolbluers and help them build their career within Coolblue. At the same time, the competition for skilled personnel increases. We offer Coolbluers careers rather than jobs, in which we help them continuously refine their skillset. For example, we offer them various training courses at our in-house training facilities. This way, we actively help them build their career within Coolblue.

9. Health, safety, and environment

The health and safety of our Coolbluers is of the highest importance to us. To safeguard both, we have procedures in place that outline in detail how to act in certain situations. What to do in case of an emergency, for example. We continue to diversify in the products and services we offer. To also ensure the safety of the Coolbluers who carry out the physical component of these new propositions, we actively provide training courses to prepare them for this.

Finance & reporting risk

10. Finance and liquidity

Our operations are financed by our operating cash flow, a negative working capital, and reinvestment of our profits. Because we continuously improve our underlying debtor management, stock management, and treasury processes, we are always able to meet our payment obligations. We continually monitor our exposure and liquidity to minimize the risk and have sufficient cash and credit lines available. Operating in the energy supply business includes related sourcing risks, collateral risks, and credit risks on suppliers, but also a higher demand for energy-saving products. We manage these risks through strong monitoring and scenario planning, and they are further mitigated by our strong cash position.

Compliance risk

11. Regulatory compliance

We continue to grow and expand in other countries and markets, such as Germany and the Dutch energy market. Additionally, we continue to develop our private label brands. As a result, there is an increasing amount of legislation we need to adhere to. We want to ensure our full compliance with all (announced) governing legislation, such as the NIS2 and CSRD, simply because it is the right thing to do.

We have a zero-tolerance approach to bribery, corruption, fraud, and any other form of (illegal) misconduct. This is strongly highlighted in our code of conduct and other internal guidelines, which are made available to our partners and every Coolbluer. We also offer mandatory training courses that are geared to the relevant legislation within departments. This further ensures our consistent compliance.

Enhancement of our risk management system

As Coolblue grows, so do our Risk & Internal Control, Tax, Safety, Security & Fraud, Tech Security, Finance, and Legal departments. To improve our risk management in 2023, Risk Coordinators were appointed for each specific domain. It is their responsibility to coordinate the risk management activities within their respective domain. Ultimately, we want them to actively carry out the risk managing function, allowing our centralized Risk & Internal Control department to assume a supporting, monitoring, and overseeing role. A summary of the status of internal control and issue tracking is discussed monthly with domain management and the Management Board.

Cybersecurity

We have further reinforced organization-wide security awareness with an online training program for Coolblue and a specialized training course for Coolblue Energy. Various initiatives have been started to strengthen our security posture, such as a pre-scan for the NIS2 directive specifically for cybersecurity in our Energy domain. Additionally, we performed several audits in the Information Technology (IT) and Operational Technology (OT) domains, for example of the critical warehouse processes. We also improved the monitoring, response, and reporting of cyber threats.

Fraud Detection and Prevention

In order to further prevent fraud throughout our organization, our Loss Prevention department has been merged with our Safety, Security, and Fraud team. This allowed for a closer collaboration within the disciplines, which in turn led to improved results for each of them.

Safeguarding privacy

We have an unceasing focus on the protection of data, both our own and our customers’. To ensure that this remains top of mind for each and every Coolbluer, we will continue to further develop existing educational courses and roll out training courses that are tailored to our specific domains. In addition, we will continue to monitor existing processes to identify potential improvements to further ensure the safety of information we store. We also keep a close eye on, among other things, the changing legislation with regard to (third-party) cookies.

Looking ahead

We are pleased with the steps we were able to take in 2023 in improving our risk management and internal control framework. They will form a solid basis for further enhancements we have planned for 2024. We will further strengthen internal control, broaden our risk assessment activities in terms of IT, and enhance our cybersecurity posture.